Skip to main content
Configure your repo so agents and automations can’t merge code without human approval. This is a best practice that teams should follow regardless of whether they use Charlie or not.
This is a customer-configured GitHub control, not a Charlie product guarantee. Your organization owns the configuration and GitHub enforces them. Charlie cannot bypass GitHub rulesets.

Before you start

  • Ensure you have a GitHub team that includes every trusted human who should approve PRs. You can use an existing team, such as engineering, or create one.
  • Ensure your repo is organization-owned. GitHub’s team reviewer requirements are not available for user-owned repos.
  • Ensure your GitHub plan and repo type support rulesets and required reviewers.

Configure the merge gate

Create a branch ruleset for main and any release branches that need the same protection. Configure it to:
  1. Require changes to arrive through a pull request.
  2. Require one approval from the team with the humans who can approve PRs.
The rule is simple: agents can propose and review code; a human must explicitly approve before it merges. See GitHub’s ruleset rule reference for the current controls and reviewer requirements.

FAQ

Should we use CODEOWNERS instead?

Use CODEOWNERS when the required human reviewer depends on the files changed—for example, require Security for authentication code and Platform for infrastructure. Add the relevant team to CODEOWNERS, then enable Require review from Code Owners in the ruleset. A code-owner team must be visible and have write access; if multiple owners match, approval from any one of them is sufficient. GitHub Docs

How do we do this with classic branch protection?

Classic branch protection does not offer direct required-team approval quotas. Put the human team in CODEOWNERS—using a catch-all pattern if it should review every PR—and enable Require review from Code Owners. GitHub Docs

Should we dismiss stale approvals?

For stronger protection, enable Dismiss stale pull request approvals when new commits are pushed. This invalidates approvals when the reviewed diff changes, requiring a human to approve the updated code. GitHub Docs

What is the trust boundary?

Keep the team used for required reviews human-only, do not give agents bypass or admin permissions, and protect human credentials. GitHub cannot distinguish an agent using a human’s account or token from that human.

Do auto-merge and merge queue bypass the gate?

No. Auto-merge waits for merge requirements to pass. A merge queue also applies the branch’s merge requirements. Verify both in your repository because layered rulesets and branch protection can add more conditions.